Black Arrow Cyber Advisory 05/04/2022 – Sophos Remote Code Execution Vulnerability identified.
Executive Summary
A critical flaw has been discovered in Sophos Firewall that allows remote code execution through the User Portal and Webadmin areas of the product. The bug impacts Sophos Firewall Network Access Control (NAC) systems running versions v18.5 MR3 [18.5.3] and lower. It has been scored 9.8 on the Common Vulnerability Scoring System (CVSS) and allows attackers to remotely execute code on the device.
What’s the risk to my business?
Due to the severity of the bug, and the ability for attackers to gain remote code execution on a critical perimeter defence, the risk to businesses operating Sophos Firewalls is high. However, if the device is configured using the device access best practices recommended by Sophos, the bug is mitigated.
What can I do?
The bug has been reported, and a patch has been issued. Businesses operating these devices are urged to apply it as soon as possible. Note: if the “Allow automatic installation of hotfixes” feature is enabled, the hotfix should already have been installed.
As an additional mitigation, ensure that the User Portal and Webadmin portal are not exposed to the Wide Area Network (WAN), in line with the device access best practices issued by Sophos, if this is not already in place.
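The following is an added example, not code from Sophos or from this advisory, showing how an administrator might audit an exported copy of the firewall’s “Device access” zone-to-service matrix for the exposure described above. The dictionary layout, the service labels (“Admin Services (HTTPS)” for Webadmin, “User Portal”) and the sample values are assumptions constructed for the example; in practice the matrix is read from the device’s administration interface or configuration backup.

```python
# Added example (not Sophos code): offline audit of a Sophos Firewall
# "Device access" matrix for WAN exposure of the Webadmin and User Portal.
# The matrix layout and service labels below are assumptions for illustration.
from copy import deepcopy
from typing import Dict, Iterable, List

# Services that should never be reachable from the WAN zone (assumed labels).
WAN_SENSITIVE_SERVICES = ("Admin Services (HTTPS)", "User Portal")

# Constructed sample: zone -> service -> enabled flag. WAN wrongly has Webadmin on.
SAMPLE_DEVICE_ACCESS: Dict[str, Dict[str, bool]] = {
    "LAN": {"Admin Services (HTTPS)": True, "User Portal": True, "Ping/Ping6": True},
    "WAN": {"Admin Services (HTTPS)": True, "User Portal": False, "Ping/Ping6": False},
    "DMZ": {"Admin Services (HTTPS)": False, "User Portal": False, "Ping/Ping6": True},
    "VPN": {"Admin Services (HTTPS)": True, "User Portal": True, "Ping/Ping6": True},
}


def exposed_services(matrix: Dict[str, Dict[str, bool]],
                     zone: str = "WAN",
                     sensitive: Iterable[str] = WAN_SENSITIVE_SERVICES) -> List[str]:
    """Return the sensitive services enabled for `zone`, sorted for stable output."""
    zone_entry = matrix.get(zone, {})
    return sorted(svc for svc in sensitive if zone_entry.get(svc, False))


def harden(matrix: Dict[str, Dict[str, bool]],
           zone: str = "WAN",
           sensitive: Iterable[str] = WAN_SENSITIVE_SERVICES) -> Dict[str, Dict[str, bool]]:
    """Return a copy of the matrix with the sensitive services disabled for `zone`.
    The input is not modified so the before/after state can be compared."""
    fixed = deepcopy(matrix)
    for svc in sensitive:
        if svc in fixed.get(zone, {}):
            fixed[zone][svc] = False
    return fixed


def audit(matrix: Dict[str, Dict[str, bool]]) -> Dict[str, object]:
    """Summarise whether the WAN-exposure mitigation from the advisory is in place."""
    exposed = exposed_services(matrix)
    return {"exposed": exposed, "mitigated": not exposed}


if __name__ == "__main__":
    before = audit(SAMPLE_DEVICE_ACCESS)
    print("Before:", before)            # WAN exposes Webadmin -> not mitigated
    after = audit(harden(SAMPLE_DEVICE_ACCESS))
    print("After: ", after)             # nothing exposed -> mitigated
```

The audit only reports on the WAN zone because that is the exposure the advisory calls out; the hardened copy is returned rather than applied so the change can be reviewed before it is made on the device.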
Technical Summary
Sophos have issued a patch for bug CVE-2022-1040, which was disclosed on 25/03/2022. Older, unsupported versions will require an upgrade in order to apply this fix. Follow the Sophos knowledge base article “Sophos Firewall: Verify if the hotfix for CVE-2022-1040 is applied” to confirm that the hotfix has been applied. No further technical details on the bug are available at this time.
Need help understanding your gaps, or just want some advice? Get in touch with us.